CVE-2025-14577

CRITICAL

Slican NCP/IPL/IPM/IPU - Code Injection

Description

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker can execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and version 6.61.0010 (Slican IPL/IPM/IPU).

Scores

CVSS v3 9.8
EPSS 0.0011
EPSS Percentile 29.9%
Attack Vector NETWORK
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-306
Status published

Affected Products (4)

slican/ncp_firmware < 1.24.0190
slican/ipl-256_firmware < 6.61.0010
slican/ipm-032_firmware < 6.61.0010
slican/ipu-14_firmware < 6.61.0010

Timeline

Published Feb 24, 2026
Tracked Since Feb 24, 2026